Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'

[Bloomedis]

Why did Apple only release a statement to Re/code, a site that I never heard of until recently? It seems strange if they were going to release a statement, why wouldn't they release to a bigger news outlet like the Wall Street Journal?

The tech journalists from WSJ/AllThingsD left that paper and created Re/code. It's basically the journalistic replacement.

 

[Luba]

Ah, thanks!

But read the article on Re/code, it's not a statement released by Apple, rather it's an Apple "official" who told Re/code, so now my question is . . . why didn't Apple simply release a statement to the public about this? It's not discussing upcoming products which we know Apple is very secretive.

The tech journalists from WSJ/AllThingsD left that paper and created Re/code. It's basically the journalistic replacement.

 

[BR3W]

It seems only Android 4.1.1 version is effected per their blog http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html

Also those using OS X should go to Keychain Access->Preferences->Certificates and hold down option key and change OCSP and CRL to "require for all certificates" and Priority to "require both" so that you don't accidentally visit sites with revoked certificates when browsing with Safari. This only works on Safari, but there is a way to enable it for Chrome. Seems Firefox 28 doesn't have this option. This can cause error "OSCP service unavailable" with some sites, notably American Express.

----------



I heard it's more like 18-20% because heartbeat function can be turned off and that 66% includes OpenSSL versions not affected by Heartbleed bug.

is there any way to ensure mobile safari checks ssl certification revocations?

 

[Bloomedis]

If you read the Agilebits blog (makers of 1password) which is usually very informative, they actually advocate keeping your old passwords until the affected services tell you to change it. Their reasoning is pretty interesting - basically until the service tells you to change the password, you can't be sure they have completed all the work necessary to secure your new password.

What I've done is individually check all my online accounts instead of waiting for them to notify me. Some security firms online will have listed websites that have updated their security.